Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4a5d0682ce8fc2a4ad6a86fcb4809c0ad23fe673
https://github.com/WebKit/WebKit/commit/4a5d0682ce8fc2a4ad6a86fcb4809c0ad23fe673
Author: Anthony Tarbinian <[email protected]>
Date: 2025-10-20 (Mon, 20 Oct 2025)
Changed paths:
A LayoutTests/ipc/async-with-reply-destination-id-zero-expected.txt
A LayoutTests/ipc/async-with-reply-destination-id-zero.html
M Source/WebKit/Platform/IPC/Connection.cpp
Log Message:
-----------
[CoreIPC] [Fuzz Blocker] Disallow async reply messages with destinationID 0
https://bugs.webkit.org/show_bug.cgi?id=300836
rdar://161637876
Reviewed by Alex Christensen.
This patch disallows CoreIPC async replies with invalid destination IDs.
Invalid destination IDs include 0 and std::numeric_limits<uint64_t>.
This patch adds a check while processing incoming event replies and marks
async event replies as invalid. By marking the message as invalid, the
WebContent process that sent this message will be terminated. In IPC testing mode,
it drops the invalid message without termination.
The accompanying test case tries to send an async reply with a destination
ID of 0 and is expected to crash (as indicated in the TestExpectations).
Test: ipc/async-with-reply-destination-id-zero.html
* LayoutTests/ipc/async-with-reply-destination-id-zero-expected.txt: Added.
* LayoutTests/ipc/async-with-reply-destination-id-zero.html: Added.
* Source/WebKit/Platform/IPC/Connection.cpp:
(IPC::Connection::processIncomingMessage):
Canonical link: https://commits.webkit.org/301811@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
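The check the commit message describes, modelled as an added example; this is not WebKit's code and not the diff to Connection.cpp (which is not shown here). The type and function names (MessageHeader, ReplyAction, handleIncomingMessage, countTerminations) and the shape of the header are assumptions made for illustration. It shows the two reserved destination IDs being rejected only for async replies, and the production versus IPC-testing-mode outcome (terminate the sender versus drop the message) on a constructed batch of messages.

```cpp
// Added example, not WebKit's own code: models the fuzz-blocker check the
// commit message describes for IPC::Connection::processIncomingMessage.
// MessageHeader, ReplyAction and the function names are assumptions.
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Simplified stand-in for a decoded CoreIPC message header (assumed shape).
struct MessageHeader {
    uint64_t destinationID;
    bool isAsyncReply;   // true when the message carries an async reply
};

enum class ReplyAction {
    Dispatch,          // valid message, hand it to the reply handler
    DropMessage,       // IPC testing mode: discard without terminating
    TerminateSender,   // production: terminate the sending WebContent process
};

// Reserved destination IDs that a legitimate async reply never uses.
constexpr uint64_t kInvalidDestinationIDZero = 0;
constexpr uint64_t kInvalidDestinationIDMax = std::numeric_limits<uint64_t>::max();

bool isValidAsyncReplyDestinationID(uint64_t id)
{
    return id != kInvalidDestinationIDZero && id != kInvalidDestinationIDMax;
}

// Decide what to do with an incoming message. Only async replies are subject
// to the destination-ID check; every other message passes through unchanged.
ReplyAction handleIncomingMessage(const MessageHeader& header, bool ipcTestingMode)
{
    if (!header.isAsyncReply)
        return ReplyAction::Dispatch;
    if (isValidAsyncReplyDestinationID(header.destinationID))
        return ReplyAction::Dispatch;
    // Invalid reply: a fuzzer or a compromised WebContent process is the likely
    // source. Terminate it, unless bad messages are being injected on purpose.
    return ipcTestingMode ? ReplyAction::DropMessage : ReplyAction::TerminateSender;
}

// Count how many messages in a batch would get the sender terminated.
size_t countTerminations(const std::vector<MessageHeader>& batch, bool ipcTestingMode)
{
    size_t n = 0;
    for (const auto& header : batch) {
        if (handleIncomingMessage(header, ipcTestingMode) == ReplyAction::TerminateSender)
            ++n;
    }
    return n;
}

int main()
{
    // Constructed sample batch: two bad async replies, one good reply,
    // and one non-reply message that happens to use destination ID 0.
    std::vector<MessageHeader> batch = {
        { 0, true },
        { std::numeric_limits<uint64_t>::max(), true },
        { 42, true },
        { 0, false },
    };
    // Production mode: exactly the two bad replies terminate the sender.
    return countTerminations(batch, false) == 2 ? 0 : 1;
}
```

In testing mode the same batch produces no terminations, which is what lets a layout test such as ipc/async-with-reply-destination-id-zero.html send a deliberately bad reply and observe the drop instead of a crash.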